McAfee Enterprise MVISION Cloud

Shadow Service Anomaly Descriptions

The following are the anomalies tracked for your Shadow Services. They should not be confused with the three Sanctioned Service anomaly categories: Access Anomalies, Administration Anomalies, and Data Anomalies.

Data Transfer Anomaly

The Data Transfer Anomaly monitors all data transferred by the user in every action. Each event from the logs is compared to pre-defined thresholds and an anomaly is generated if the data transfer exceeds the threshold.

Multiple anomalies observed for the same user, cloud service, and user-action (download or upload) combination within a short period (typically two hours) are collapsed into one anomaly; the similar-event count and risk score of that anomaly are then adjusted accordingly. Anomalies are generated separately for uploads and downloads.

This anomaly threshold can be adjusted.
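The threshold comparison and the two-hour collapse described above, as an added worked example (not MVISION Cloud's own code): per-event sizes are checked against an assumed per-action byte threshold, over-threshold events for the same user, service and action within two hours of the burst start are merged into one record, and the similar count and an assumed risk score grow with the merged events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log events: (timestamp, user, cloud service, action, bytes transferred)
EVENTS = [
    ("2021-09-23T09:00:00", "alice", "Dropbox", "upload", 50_000_000),
    ("2021-09-23T09:40:00", "alice", "Dropbox", "upload", 700_000_000),
    ("2021-09-23T10:30:00", "alice", "Dropbox", "upload", 900_000_000),
    ("2021-09-23T14:00:00", "alice", "Dropbox", "upload", 800_000_000),
    ("2021-09-23T09:10:00", "alice", "Dropbox", "download", 2_000_000_000),
    ("2021-09-23T09:15:00", "bob", "Box", "upload", 300_000_000),
]

# Assumed per-action thresholds in bytes; the product's values are tenant-adjustable.
THRESHOLDS = {"upload": 500_000_000, "download": 1_000_000_000}
COLLAPSE_WINDOW = timedelta(hours=2)


def detect_data_transfer_anomalies(events, thresholds=THRESHOLDS, window=COLLAPSE_WINDOW):
    """Return one anomaly record per (user, service, action) burst.

    Every event above its action threshold is an anomaly; anomalies for the same
    user/service/action within `window` of the burst's first event are collapsed
    into one record whose similar_count, bytes and risk_score are adjusted.
    """
    bursts = defaultdict(list)  # (user, service, action) -> list of burst records
    for ts, user, service, action, size in sorted(events):
        if size <= thresholds[action]:
            continue  # normal transfer, nothing to raise
        t = datetime.fromisoformat(ts)
        key = (user, service, action)
        current = bursts[key]
        if current and t - current[-1]["first_seen"] <= window:
            current[-1]["similar_count"] += 1  # collapse into the open burst
            current[-1]["bytes"] += size
        else:
            current.append({"user": user, "service": service, "action": action,
                            "first_seen": t, "similar_count": 1, "bytes": size})
    anomalies = [rec for recs in bursts.values() for rec in recs]
    for rec in anomalies:
        # Assumed scoring (not the vendor's formula): ratio over threshold,
        # boosted 25% per collapsed repeat, capped at 10.
        ratio = rec["bytes"] / thresholds[rec["action"]]
        rec["risk_score"] = round(min(10.0, ratio * (1 + 0.25 * (rec["similar_count"] - 1))), 2)
    return anomalies
```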

Service Category based Data Transfer Anomaly

All cloud services in the MVISION Cloud Registry are characterized (based on the features and use cases that the cloud service addresses) into an appropriate Service Category. Service Category-based Data Transfer Anomalies are generated when cloud service-specific thresholds are not available (typically due to lack of sufficient historical data) or when the observed user-action exceeds data transfer thresholds specified at the Service Category level.

This anomaly threshold can be adjusted.

MIME Type Anomaly

MIME Type captures the nature of the content or file that is associated with a data transfer. Using domain knowledge and historical data, accepted data transfer associated with specific MIME types has been identified along with appropriate anomaly thresholds. MIME Type Data Transfer Anomalies are generated when the observed user-action exceeds data transfer thresholds specified for the MIME type associated with the observed user-action.

This anomaly threshold can be adjusted.

IMPORTANT: You can't adjust the threshold for a MIME Type anomaly that was created before MVISION Cloud 5.5.1 (Sept. 23, 2021). To adjust the threshold for an anomaly created before this date, contact Support.

Service Access Count Anomaly

To generate a Service Access Count Anomaly, the total number of times that a user accesses a particular cloud service over 24 hours (in one calendar date) is compared to pre-defined thresholds. If the total access count exceeds the thresholds, an anomaly is generated.

This anomaly threshold can be adjusted.

Repeat Offender Anomaly

The Repeat Offender Anomaly is generated for users who trigger repeated denials across cloud storage providers. This "service knocking" is the modern-day equivalent of "port knocking", an older hacking technique used to determine which ports were open and vulnerable on a firewall. Similarly, service knocking allows an attacker to discover which cloud services are open outbound on a proxy or firewall to exfiltrate data.

MVISION Cloud identifies these repeated data exfiltration attempts. Currently, we review the past seven days to identify the number of unique service denials for a user across cloud storage services. The count of denials is compared to a pre-defined threshold and an anomaly is generated if the total number of denials exceeds the threshold.
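The seven-day review described above, as an added detection example (not MVISION Cloud's own code) run over constructed proxy log lines: only denied requests to services in the cloud storage category count, each service counts once per user, and a user exceeding the assumed threshold of unique denied services is flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp user service category outcome
PROXY_LOG = """\
2021-09-10T08:00:00 alice Mega storage denied
2021-09-20T08:01:00 alice Dropbox storage denied
2021-09-20T08:02:00 alice Box storage denied
2021-09-21T09:00:00 alice Dropbox storage denied
2021-09-22T10:00:00 alice GoogleDrive storage denied
2021-09-23T11:00:00 alice OneDrive storage denied
2021-09-23T11:05:00 alice Slack collaboration denied
2021-09-23T12:00:00 bob Dropbox storage allowed
2021-09-23T12:01:00 bob Box storage denied
"""

LOOKBACK = timedelta(days=7)
DENIAL_THRESHOLD = 3  # assumed; the product uses its own pre-defined value


def parse_log(log):
    """Yield (timestamp, user, service, category, outcome) per log line."""
    for line in log.splitlines():
        ts, user, service, category, outcome = line.split()
        yield datetime.fromisoformat(ts), user, service, category, outcome


def repeat_offenders(log, now, threshold=DENIAL_THRESHOLD, lookback=LOOKBACK):
    """Map each flagged user to the sorted set of storage services that denied them.

    A user is flagged when the number of *unique* cloud storage services with a
    denial inside [now - lookback, now] exceeds `threshold`. Denials outside the
    window, allowed requests and non-storage services are ignored.
    """
    denied = defaultdict(set)
    for ts, user, service, category, outcome in parse_log(log):
        if outcome != "denied" or category != "storage":
            continue
        if now - lookback <= ts <= now:
            denied[user].add(service)
    return {user: sorted(svcs) for user, svcs in denied.items() if len(svcs) > threshold}
```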

Unmatched Data Transfer Anomaly

NOTE: This anomaly is reserved for future functionality.

Web traffic is segmented into cloud service relevant traffic and traffic to domains and destinations not recognized by MVISION Cloud’s Registry (called Unmatched data transfers).

The Unmatched Data Transfer Anomaly is generated only for unmatched data uploads.

The total unmatched data uploaded by the user over 24 hours (in one calendar date) is compared to pre-defined thresholds and an anomaly is generated if the total unmatched data upload exceeds the thresholds.

Thresholds are customized to every customer’s user base and are defined at a user level (aggregating unmatched data uploads across all unrecognized domains over 24 hours). Only one anomaly per user is generated for one calendar date.

Periodicity Anomaly

NOTE: This anomaly is reserved for future functionality.

Web traffic is segmented into cloud service relevant traffic and traffic to domains and destinations not recognized by MVISION Cloud’s Registry (called Unmatched data transfers).

The Periodicity Anomaly is generated only for unmatched data uploads.

Unmatched data uploads for individual users, aggregated at an hourly level, are analyzed to detect periodic patterns. A Periodicity Anomaly is generated when uploads greater than the predefined thresholds (for the magnitude of uploads) are observed to display periodic or programmatic patterns.

Thresholds are set consistently across global users and not customized to every customer. Thresholds are specified at a user level and only one anomaly per user is generated for one calendar date.

Unsupported Device Anomaly

The Unsupported Device Anomaly is a yearly anomaly activated to indicate that users are using an operating system, browser, or software that is no longer supported, which poses a risk resulting from unpatched security vulnerabilities.

403 Denied Access Anomaly

The 403 Denied Access Anomaly indicates that user activity has triggered an excessive number of 403 denied web requests. It can indicate either a malicious piece of software attempting to take down a service, or a misconfigured application or software consuming unnecessary bandwidth.
